Abstract

We present an affine-intuitionistic system of types and effects which can be regarded as an extension of Barber-Plotkin Dual Intuitionistic Linear Logic to multi-threaded programs with effects. In the system, dynamically generated values such as references or channels are abstracted into a finite set of regions. We introduce a discipline of region usage that entails the confluence (and hence determinacy) of the typable programs. Further, we show that a discipline of region stratification guarantees termination.

Keywords: Linear logic, Types and Effects, Confluence, Termination.



1 Introduction



There is a well-known connection between intuitionistic proofs and typed functional programs that goes under the name of Curry-Howard correspondence. Following the introduction of linear logic [9], this correspondence has been refined to include an explicit treatment of the process of data duplication. Various formalisations of these ideas have been proposed in the literature (see, e.g., O [H [11], [13, 12]) and we will focus here in particular on Affine-intuitionistic Logic and, more precisely, on an affine version of Barber-Plotkin Dual Intuitionistic Linear Logic (DILL) as described in [2].

In DILL, the operation of $\lambda$-abstraction is always affine, i.e., the formal parameter is used at most once. The more general situation where the formal parameter has multiple usages is handled through a constructor '!' (read bang) marking values that can be duplicated and a destructor let filtering them and effectively allowing their duplication. Following this idea, e.g., an intuitionistic judgement is translated into an affine-intuitionistic one as follows:

$y : A \vdash \lambda x.x(xy) : (A \to A) \to A$ (intuitionistic)

$y : (\infty, A) \vdash \lambda x.\mathsf{let}\ !x = x\ \mathsf{in}\ x!(x!y) : !(!A \multimap A) \multimap A$ (aff.-intuitionistic)



We recall that in DILL the hypotheses are split in two zones according to their usage. Namely, one distinguishes between the affine hypotheses that can be used at most once and the intuitionistic ones that can be used arbitrarily many times. In our formalisation, we will use '$1$' for the former and '$\infty$' for the latter.

Our purpose is to explore an extension of this connection to multi-threaded programs with effects. By extending the connection, we mean in particular that the type system should guarantee confluence (and hence determinism) and termination of the typable programs while preserving a reasonable expressive power. By multi-threaded program, we mean a program where distinct threads of execution may be active at the same time (as is typically the case in concurrent programs) and by effect, we mean the possibility of executing operations that modify the state of a system such as reading/writing a reference or sending/receiving a message.

We will start by introducing a simple-minded extension of the purely functional language with operators to run threads in parallel while reading/modifying the state, which is loosely inspired by concurrent extensions of the ML programming language such as [8] and [18]. Following a rather standard practice (see, e.g., [15, 20]), we suppose that dynamically generated values such as channels or references are abstracted into a finite number of regions. This abstraction is reflected in the type system where the type of an address depends on the region with which the address is associated. Thus we write $\mathsf{Reg}_r A$ for the type of addresses containing values of type $A$ and relating to the region $r$ of the store.

Not surprisingly, the resulting functional-concurrent language is neither confluent nor 
terminating. However, it turns out that there are reasonable strategies to recover these 
properties. The general idea is that confluence can be recovered by introducing a proper 
discipline of region usage while termination can be recovered through a discipline of region 
stratification. 

The notion of region usage is reminiscent of the one of hypotheses usage arising in affine- 
intuitionistic logic. Specifically, we distinguish the regions that can be used at most once 
to write and at most once to read and those that can be used at most once to write and 
arbitrarily many times to read. 

The notion of region stratification is based on the idea that values stored in a region 
should only produce effects on smaller regions. The implementation of this idea requires a 
substantial refinement of the type system that has to predict the effects potentially generated 
by the evaluation of an expression. This is where type and effect systems, as introduced in 
[15], come into play. 

It turns out that the notions of region usage and region stratification combine smoothly, 
leading to the definition of an affine-intuitionistic system of types and effects. The system has 
affine-intuitionistic logic as its functional core and it can be used to guarantee the determinacy 
and termination of multi-threaded programs with effects. 

Related work Girard, through the introduction of linear logic [9], has widely promoted a finer analysis of the structural rules of logic. There have been various attempts at producing a functional programming language based on these ideas and with a reasonably handy syntax (see, e.g., [31 HI [T71 [HI [2]). The logical origin of the notion of usage can be traced back to Girard's LU system [10] and in particular it is adopted in the Barber-Plotkin system [2] on which we build.

A number of works on type systems for concurrent languages such as the $\pi$-calculus have been inspired by linear logic even though in many cases the exact relationships with logic are at best unclear. In particular, Kobayashi et al. [14] introduce a type system with 'use-once' channel types that guarantees confluence. Clearly, this approach inspires our conditions for confluence. Let us also recall that Kobayashi et al. (see, e.g., [iHl [12]) have produced type
$x, y, \ldots$ (Variables)

$V ::= * \mid x \mid \lambda x.M \mid !V$ (Values)

$M ::= V \mid MM \mid !M \mid \mathsf{let}\ !x = M\ \mathsf{in}\ M \mid \nu x\, M \mid \mathsf{set}(x, V) \mid \mathsf{pset}(x, V) \mid \mathsf{get}(x) \mid (M \,|\, M)$ (Terms)

$S ::= (x \leftarrow V) \mid (x \Leftarrow V) \mid (S \,|\, S)$ (Stores)

$P ::= M \mid S \mid (P \,|\, P) \mid \nu x\, P$ (Programs)

$E ::= [\,] \mid EM \mid VE \mid !E \mid \mathsf{let}\ !x = E\ \mathsf{in}\ M$ (Evaluation Contexts)

$C ::= [\,] \mid (C \,|\, P) \mid (P \,|\, C) \mid \nu x\, C$ (Static Contexts)

Table 1: Syntax: programs



systems with a much more elaborate notion of usage than ours (a usage can be almost as 
complex as a CCS process) and shown that they can guarantee a variety of properties of 
concurrent programs such as absence of deadlock. 

It is well known that intuitionistic logic is at the basis of typed functional programming. The type and effect system introduced in [15] is an enrichment of the intuitionistic system tracing the effects of imperative higher-order programs acting on a store. The system has provided a successful static analysis tool for the problem of heap-memory deallocation [20]. More recently, this issue has been revisited following the ideas of linear logic [23, 7].

The so called reducibility candidates method is probably the most important technique to prove termination of typable higher-order programs. Extensions of the method to 'functional fragments' of the $\pi$-calculus have been proposed, e.g., in [24, 19]. Boudol [6] has shown that a stratification of the regions guarantees termination for a multi-threaded higher-order functional language with references and cooperative scheduling. Our formulation of the stratification discipline is actually based on [1] which revisits and extends [6].

Structure of the paper Section 2 introduces an affine-intuitionistic system with regions for a call-by-value functional-concurrent language. Section 3 introduces a discipline of region usage that guarantees confluence of the typable programs. Section 4 enriches the affine-intuitionistic system introduced in section 2 with a notion of effect which provides an upper bound on the set of regions on which the evaluation of a term may produce effects. Finally, section 5 describes a discipline of region stratification that guarantees the termination of the typable programs. Proofs of the main results are available in appendix A.

2 An affine-intuitionistic type system with regions

2.1 Syntax: programs

Table 1 introduces the syntax of our programs. We denote variables with $x, y, \ldots$ and with $V$ the values, which are included in the category $M$ of terms. Stores are denoted by $S$, and programs $P$ are combinations of terms and stores. We comment on the main operators of the language: $*$ is a constant inhabiting the terminal type $1$ (see below), $\lambda x.M$ is the affine abstraction and $MM$ the application, $!$ marks values that can be duplicated while $\mathsf{let}\ !x = M\ \mathsf{in}\ N$ filters them and allows their multiple usage in $N$, in $\nu x\, M$ the operator $\nu$ generates a fresh address name $x$ whose scope is $M$, $\mathsf{set}(x, V)$ and $\mathsf{pset}(x, V)$ write the value $V$ in a volatile address and a persistent one, respectively, while $\mathsf{get}(x)$ fetches a value from the address $x$ (either volatile or persistent), and finally $(M \,|\, N)$ evaluates $M$ and $N$ in parallel. Note
$P \,|\, P' \equiv P' \,|\, P$ (Commutativity)

$(P \,|\, P') \,|\, P'' \equiv P \,|\, (P' \,|\, P'')$ (Associativity)

$\nu x\, P \,|\, P' \equiv \nu x\, (P \,|\, P')$ if $x \notin FV(P')$ $(\nu)$

$E[\nu x\, M] \equiv \nu x\, E[M]$ if $x \notin FV(E)$ $(\nu E)$

$E[(\lambda x.M)V] \to E[[V/x]M]$

$E[\mathsf{let}\ !x = !V\ \mathsf{in}\ M] \to E[[V/x]M]$

$E[\mathsf{set}(x, V)] \to E[*] \,|\, (x \leftarrow V)$

$E[\mathsf{pset}(x, V)] \to E[*] \,|\, (x \Leftarrow V)$

$E[\mathsf{get}(x)] \,|\, (x \leftarrow V) \to E[V]$

$E[\mathsf{get}(x)] \,|\, (x \Leftarrow !V) \to E[!V] \,|\, (x \Leftarrow !V)$

Table 2: Operational semantics

$r, r', \ldots$ (Regions)

$\alpha ::= \mathbf{B} \mid A$ (Types)

$A ::= 1 \mid A \multimap \alpha \mid !A \mid \mathsf{Reg}_r A$ (Value types)

$\Gamma ::= x_1 : (u_1, A_1), \ldots, x_n : (u_n, A_n)$ (Contexts)

$R ::= r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n)$ (Region contexts)

Table 3: Syntax: types and contexts



that when writing either $\lambda x.M$, or $\nu x\, M$, or $\mathsf{let}\ !x = N\ \mathsf{in}\ M$ the variable $x$ is bound in $M$. As usual, we abbreviate $(\lambda z.N)M$ with $M; N$, where $z$ is not free in $N$. Evaluation contexts $E$ follow a call-by-value discipline. Static contexts $C$ are composed of parallel composition and $\nu$'s. Note that stores can only appear in a static context. Thus $M = V(\mathsf{set}(x, V'); V'')$ is a legal term while $M' = V(V'' \,|\, (x \leftarrow V))$ is not.



2.2 Operational semantics 

Table 2 describes the operational semantics of our language. Programs are considered up to a structural equivalence $\equiv$ which is the least equivalence relation preserved by static contexts, and which contains the equations for $\alpha$-renaming, for the commutativity and associativity of parallel composition, for enlarging the scope of the $\nu$ operators to parallel programs, and for extracting the $\nu$ from an evaluation context. We use the notation $[V/x]$ for the substitution of the value $V$ for the variable $x$. The reduction rules apply modulo structural equivalence and in a static context $C$. For instance, the program $((\nu x\, \lambda y.M)(\nu x'\, \lambda y'.M'))V \,|\, P$ is structurally equivalent (up to some renaming) to $\nu x\, \nu x'\, ((\lambda y.M)(\lambda y'.M'))V \,|\, P$. This transformation exposes the term $E[(\lambda y.M)(\lambda y'.M')]$ in the static context $C = \nu x\, \nu x'\, [\,] \,|\, P$, where the evaluation context $E$ is $[\,]V$.



2.3 Syntax: types and contexts 

Table 3 introduces the syntax of types and contexts. We denote regions with $r, r', \ldots$ and we suppose a region $r$ is either volatile ($\mathsf{V}(r)$) or persistent ($\mathsf{P}(r)$). Types are denoted with $\alpha, \alpha', \ldots$. Note that we distinguish a special behaviour type $\mathbf{B}$ which is given to the entities of the language which are not supposed to return a value (such as a store or several values in parallel) while types of entities that may return a value are denoted with $A$. Among the types $A$, we distinguish a terminal type $1$, an affine functional type $A \multimap \alpha$, the type $!A$ of terms of type $A$ that can be duplicated, and the type $\mathsf{Reg}_r A$ of addresses containing values of type $A$ and related to the region $r$. Hence types may depend on regions.

Before commenting on variable and region contexts, we need to define the notion of usage. To this end, it is convenient to introduce a set with three values $\{0, 1, \infty\}$ and a partial binary operation $\uplus$ such that $x \uplus 0 = 0 \uplus x = x$, $\infty \uplus \infty = \infty$, and which is undefined otherwise.

We denote with $u$ a variable usage and assume that $u$ is either $1$ (a variable to be used at most once) or $\infty$ (a variable that can be used arbitrarily many times). Then a variable context (or simply a context) $\Gamma$ has the shape: $x_1 : (u_1, A_1), \ldots, x_n : (u_n, A_n)$, where the $x_i$ are distinct variables, $u_i \in \{1, \infty\}$ and the $A_i$ are types of terms that may return a result. Writing $x : (u, A)$ means that the variable $x$ ranges on values of type $A$ and can be used according to $u$. We write $dom(\Gamma)$ for the set $\{x_1, \ldots, x_n\}$ of variables where the context is defined. The sum on usages is extended to contexts componentwise. In particular, if $x : (u_1, A) \in \Gamma_1$ and $x : (u_2, A) \in \Gamma_2$ then $x : (u_1 \uplus u_2, A) \in (\Gamma_1 \uplus \Gamma_2)$ only if $u_1 \uplus u_2$ is defined.

We are going to associate a usage with regions too, but in this case a usage will be a two dimensional vector because we want to be able to distinguish input and output usages. We denote with $U$ an element of one of the following three sets of usages: $\{[\infty, \infty]\}$, $\{[1, \infty], [0, \infty]\}$, $\{[0, 0], [1, 0], [0, 1], [1, 1]\}$, where by convention we reserve the first component to describe the output usage and the second for the input usage. Thus a region with usage $[1, \infty]$ should be written at most once while it can be read arbitrarily many times.

The addition $U_1 \uplus U_2$ is defined provided $U_1$ and $U_2$ are in the same set of usages and moreover the componentwise addition is defined. For instance, if $U_1 = [\infty, \infty]$ and $U_2 = [0, \infty]$ then the sum is undefined because $U_1$ and $U_2$ are not in the same set, while if $U_1 = [1, \infty]$ and $U_2 = [1, \infty]$ then the sum is undefined because $1 \uplus 1$ is undefined. Note that in each set of usages there is a neutral usage $U_0$ such that $U_0 \uplus U = U$ for all $U$ in the same set.

A region context $R$ has the shape:

$r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n)$ (1)

where the $r_i$ are distinct regions, the $U_i$ are usages in the sense just defined, and the $A_i$ are types of terms that may return a result. The typing system will additionally guarantee that whenever we use a type $\mathsf{Reg}_r A$ the region context contains a hypothesis $r : (U, A)$ for some $U$. Intuitively, writing $r : (U, A)$ means that addresses related to region $r$ contain values of type $A$ and that they can be used according to the usage $U$. We write $dom(R)$ for the set $\{r_1, \ldots, r_n\}$ of the regions where the region context is defined. As for contexts, the sum on usages is extended to region contexts componentwise. In particular, if $r : (U_1, A) \in R_1$ and $r : (U_2, A) \in R_2$ then $r : (U_1 \uplus U_2, A) \in (R_1 \uplus R_2)$ only if $U_1 \uplus U_2$ is defined. Moreover, for $(R_1 \uplus R_2)$ to be defined we require that $dom(R_1) = dom(R_2)$. There is no loss of generality in this hypothesis because if, say, $r : (U, A) \in R_1$ and $r \notin dom(R_2)$ then we can always add $r : (U_0, A)$ to $R_2$ where $U_0$ is the neutral usage of the set to which $U$ belongs (this is left implicit in the typing rules).
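As an added example (not from the paper), the usage algebra of this section in Python: the partial sum $\uplus$ on $\{0, 1, \infty\}$, its lift to region usages (defined only within one of the three usage sets), and the sums of variable and region contexts with the neutral-usage padding left implicit above. The dictionary representation, the function names and the plain-string type labels are my own assumptions.

```python
# Added example (not from the paper): the usage algebra of section 2.3.
# Variable usages are drawn from {0, 1, INF}; region usages are [output, input]
# pairs drawn from one of three disjoint usage sets.  The partial sum (+) is
# undefined when 1 (+) 1 is attempted or when two region usages come from
# different sets.  The representation choices below are mine, not the paper's.
INF = float("inf")

USAGE_SETS = (
    frozenset({(INF, INF)}),                        # {[INF, INF]}
    frozenset({(1, INF), (0, INF)}),                # {[1, INF], [0, INF]}
    frozenset({(0, 0), (1, 0), (0, 1), (1, 1)}),    # {[0,0], [1,0], [0,1], [1,1]}
)
# The neutral usage U0 of each set, with U0 (+) U = U for every U in the set.
NEUTRAL = {USAGE_SETS[0]: (INF, INF), USAGE_SETS[1]: (0, INF), USAGE_SETS[2]: (0, 0)}


def add_usage(u1, u2):
    """x (+) 0 = 0 (+) x = x and INF (+) INF = INF; None means undefined."""
    if u1 == 0:
        return u2
    if u2 == 0:
        return u1
    if u1 == INF and u2 == INF:
        return INF
    return None                       # 1 (+) 1 and 1 (+) INF are undefined


def usage_set_of(U):
    """The usage set a region usage belongs to (the sets are pairwise disjoint)."""
    for s in USAGE_SETS:
        if U in s:
            return s
    raise ValueError(f"not a region usage: {U!r}")


def add_region_usage(U1, U2):
    """U1 (+) U2: defined only within one usage set and then componentwise."""
    if usage_set_of(U1) is not usage_set_of(U2):
        return None
    out, inp = add_usage(U1[0], U2[0]), add_usage(U1[1], U2[1])
    return None if out is None or inp is None else (out, inp)


def add_context(g1, g2):
    """Gamma1 (+) Gamma2 on variable contexts {x: (u, A)}; the types must agree."""
    res = dict(g1)
    for x, (u2, a2) in g2.items():
        if x not in res:
            res[x] = (u2, a2)
            continue
        u1, a1 = res[x]
        u = add_usage(u1, u2)
        if a1 != a2 or u is None:
            return None
        res[x] = (u, a1)
    return res


def add_region_context(r1, r2):
    """R1 (+) R2 on region contexts {r: (U, A)}.  A region missing on one side
    is padded with the neutral usage of the set used on the other side, the
    convention the paper leaves implicit in its typing rules."""
    res = {}
    for r in set(r1) | set(r2):
        U1, A1 = r1.get(r, (None, None))
        U2, A2 = r2.get(r, (None, None))
        if U1 is None:
            U1, A1 = NEUTRAL[usage_set_of(U2)], A2
        if U2 is None:
            U2, A2 = NEUTRAL[usage_set_of(U1)], A1
        U = add_region_usage(U1, U2)
        if A1 != A2 or U is None:
            return None
        res[r] = (U, A1)
    return res


if __name__ == "__main__":
    # The split used in example 2: r : ([0,1], 1) for get(x) and r : ([1,0], 1)
    # for set(x, *) recombine into r : ([1,1], 1), while two writers do not.
    print(add_region_context({"r": ((0, 1), "1")}, {"r": ((1, 0), "1")}))
    print(add_region_context({"r": ((1, INF), "1")}, {"r": ((1, INF), "1")}))
```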

2.4 Affine-intuitionistic type system with regions

Because types depend on regions, we have to be careful in stating in table 4 when a region context and a type are compatible ($R \downarrow \alpha$), when a region context is well-formed ($R \vdash$), when a type is well-formed in a region context ($R \vdash \alpha$) and when a context is well-formed in a region context ($R \vdash \Gamma$).
$$\frac{}{R \downarrow 1} \qquad \frac{}{R \downarrow \mathbf{B}} \qquad \frac{R \downarrow A \quad R \downarrow \alpha}{R \downarrow (A \multimap \alpha)} \qquad \frac{r : (U, A) \in R}{R \downarrow \mathsf{Reg}_r A}$$

$$\frac{R \downarrow A \ \text{ for all } r : (U, A) \in R}{R \vdash} \qquad \frac{R \vdash \quad R \downarrow \alpha}{R \vdash \alpha} \qquad \frac{R \vdash \quad R \vdash A \ \text{ for all } x : (u, A) \in \Gamma}{R \vdash \Gamma}$$

Table 4: Type and context formation rules (unstratified)



A more informal way to express the condition is to say that a judgement $r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n) \vdash \alpha$ is well formed provided that: (1) all the region names occurring in the types $A_1, \ldots, A_n, \alpha$ belong to the set $\{r_1, \ldots, r_n\}$ and (2) all types of the shape $\mathsf{Reg}_{r_i} B$ with $i \in \{1, \ldots, n\}$ and occurring in the types $A_1, \ldots, A_n, \alpha$ are such that $B = A_i$. For instance, one may verify that $r : (U, 1 \multimap 1) \vdash \mathsf{Reg}_r(1 \multimap 1)$ can be derived while $r : (U, 1) \vdash \mathsf{Reg}_r(1 \multimap 1)$ and $r : (U, \mathsf{Reg}_r 1) \vdash 1$ cannot.

Next, table 5 introduces an affine-intuitionistic type system with regions whose basic judgement $R; \Gamma \vdash P : \alpha$ attributes a type $\alpha$ to the program $P$ in the region context $R$ and the context $\Gamma$. Here and in the following we omit the rule for typing a program $(S \,|\, P)$ which is symmetric to the one for the program $(P \,|\, S)$.

We write $\mathit{aff}(x : (u, A))$ if $u = 1$ and $\mathit{aff}(r : ([v, v'], A))$ if either $1 \in \{v, v'\}$ or $\mathsf{V}(r)$ and $v' \neq 0$. We write $\mathit{aff}(R; \Gamma)$ ($\mathit{saff}(R; \Gamma)$) if the predicate $\mathit{aff}$ holds for at least one (for all) of the hypotheses in $R; \Gamma$. Notice that the so called promotion rule that allows one to duplicate a value requires that the related contexts are not affine. Because of this condition, the rule allows for a form of weakening of the hypotheses in the conclusion. We can then state the following weakening lemma.

Lemma 1 (weakening) If $R; \Gamma \vdash P : \alpha$ and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash P : \alpha$.

Example 2 Let $R = r : ([1, 1], 1)$ and $M = \lambda x.\mathsf{let}\ !x = x\ \mathsf{in}\ \mathsf{get}(x) \,|\, \mathsf{set}(x, *)$. We check that: $R; \vdash M : !\mathsf{Reg}_r 1 \multimap \mathbf{B}$. By the rule for affine implication, this reduces to: $R; x : (1, !\mathsf{Reg}_r 1) \vdash \mathsf{let}\ !x = x\ \mathsf{in}\ \mathsf{get}(x) \,|\, \mathsf{set}(x, *) : \mathbf{B}$. If we define $R_0 = r : ([0, 0], 1)$, then by the rule for the let we reduce to: $R_0; x : (1, !\mathsf{Reg}_r 1) \vdash x : !\mathsf{Reg}_r 1$ and $R; x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{get}(x) \,|\, \mathsf{set}(x, *) : \mathbf{B}$. The former is an axiom while the latter is derived from: $r : ([0, 1], 1); x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{get}(x) : 1$ and $r : ([1, 0], 1); x : (\infty, \mathsf{Reg}_r 1) \vdash \mathsf{set}(x, *) : 1$. Note that we can actually apply the function $M$ to a value $!y$ which is typed using the promotion rule as follows:

$$\frac{R_0; y : (\infty, \mathsf{Reg}_r 1) \vdash y : \mathsf{Reg}_r 1}{R_0; y : (\infty, \mathsf{Reg}_r 1) \vdash !y : !\mathsf{Reg}_r 1}$$

We remark that the region context and the context play two different roles: the context counts the number of occurrences of a variable while the region context counts the number of input-output effects. In our example, the variable $x$ occurs several times but we can be sure that there will be at most one input and at most one output in the related region.

Example 3 We consider a functional $M = \lambda f.\lambda f'.\nu y\, (fy \,|\, f'y)$ which can be given the type $(\mathsf{Reg}_r 1 \multimap 1) \multimap (\mathsf{Reg}_r 1 \multimap 1) \multimap \mathbf{B}$ in a region context $R = r : ([0, 0], 1)$. We can apply $M$ to the functions $V_1 = \lambda x.\mathsf{get}(x)$ and $V_2 = \lambda x.\mathsf{set}(x, *)$ which have the appropriate types in the compatible region contexts $R' = r : ([0, 1], 1)$ and $R'' = r : ([1, 0], 1)$, respectively. Such affine usages would not be compatible with an intuitionistic implication as in this case one has to promote (put a $!$ in front of) $V_1$ and $V_2$ before passing them as arguments.
$$\frac{R \vdash \Gamma \quad x : (u, A) \in \Gamma}{R; \Gamma \vdash x : A} \qquad \frac{R \vdash \Gamma}{R; \Gamma \vdash * : 1} \qquad \frac{R; \Gamma, x : (1, A) \vdash M : \alpha}{R; \Gamma \vdash \lambda x.M : (A \multimap \alpha)}$$

$$\frac{R_1; \Gamma_1 \vdash M : A \multimap \alpha \quad R_2; \Gamma_2 \vdash N : A}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash MN : \alpha}$$

$$\frac{R \uplus R' \vdash (\Gamma \uplus \Gamma') \quad \mathit{saff}(R'; \Gamma') \quad R; \Gamma \vdash M : A \quad \neg\mathit{aff}(R; \Gamma)}{R \uplus R'; \Gamma \uplus \Gamma' \vdash !M : !A} \qquad \frac{R_1; \Gamma_1 \vdash M : !A \quad R_2; \Gamma_2, x : (\infty, A) \vdash N : \alpha}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash \mathsf{let}\ !x = M\ \mathsf{in}\ N : \alpha}$$

$$\frac{R; \Gamma, x : (u, \mathsf{Reg}_r A) \vdash P : \alpha}{R; \Gamma \vdash \nu x\, P : \alpha} \qquad \frac{R \vdash \Gamma \quad x : (u, \mathsf{Reg}_r A) \in \Gamma \quad r : ([v, v'], A) \in R \quad v' \neq 0}{R; \Gamma \vdash \mathsf{get}(x) : A}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : A}{R; \Gamma \vdash \mathsf{set}(x, V) : 1}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r !A) \uplus \Gamma' \quad \mathsf{P}(r) \quad R = r : ([v, v'], !A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : !A}{R; \Gamma \vdash \mathsf{pset}(x, V) : 1}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : A}{R; \Gamma \vdash (x \leftarrow V) : \mathbf{B}}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r !A) \uplus \Gamma' \quad \mathsf{P}(r) \quad R = r : ([v, v'], !A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : !A}{R; \Gamma \vdash (x \Leftarrow V) : \mathbf{B}}$$

$$\frac{R_1; \Gamma_1 \vdash P : \alpha \quad R_2; \Gamma_2 \vdash S : \mathbf{B}}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P \,|\, S) : \alpha} \qquad \frac{R_i; \Gamma_i \vdash P_i : \alpha_i \quad P_i \text{ not a store} \quad i = 1, 2}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P_1 \,|\, P_2) : \mathbf{B}}$$

Table 5: An affine-intuitionistic type system with regions
As in the Barber-Plotkin system [2], the preservation of typing by substitution comes in two flavours: one for affine variables and another for intuitionistic variables.

Lemma 4 (substitution) (1) If $R; \Gamma, x : (1, A) \vdash M : \alpha$, $R'; \Gamma' \vdash V : A$, and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash [V/x]M : \alpha$.

(2) If $R; \Gamma, x : (\infty, A) \vdash M : \alpha$, $R'; \Gamma' \vdash !V : !A$, and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R'; \Gamma \uplus \Gamma' \vdash [V/x]M : \alpha$.

We rely on lemma 4 to show that the basic reduction rules in table 2 preserve typing. Then, observing that typing is invariant under structural equivalence, we can lift the property to the reduction relation which is generated by the basic reduction rules.

Theorem 5 (subject reduction) If $R; \Gamma \vdash P : \alpha$ and $P \to P'$ then $R; \Gamma \vdash P' : \alpha$.

In our formalism, a closed program is a program whose only free variables have region types (as in, say, the $\pi$-calculus). For closed programs one can state a progress property saying that if a program cannot progress then, up to structural equivalence, every thread is either a value or a term of the shape $E[\mathsf{get}(x)]$ and there is no store in parallel of the shape $(x \leftarrow V)$ or $(x \Leftarrow V)$. In particular, we notice that a closed value of type $!A$ must have the shape $!V$ so that in well-typed closed programs such as $\mathsf{let}\ !x = V\ \mathsf{in}\ M$ or $E[\mathsf{get}(x)] \,|\, (x \Leftarrow V)$, $V$ is guaranteed to have the shape $!V'$ required by the operational semantics in table 2.

Proposition 6 (progress) Suppose $P$ is a closed typable program which cannot reduce. Then $P$ is structurally equivalent to a program

$\nu x_1, \ldots, x_m\, (M_1 \,|\, \cdots \,|\, M_n \,|\, S_1 \,|\, \cdots \,|\, S_p) \qquad m, n, p \geq 0$

where $M_i$ is either a value or can be uniquely decomposed as a term $E[\mathsf{get}(y)]$ such that no value is associated with the address $y$ in the stores $S_1, \ldots, S_p$.

3 Confluence

In our language, each thread evaluates deterministically according to a call-by-value evaluation strategy. The only source of non-determinism comes from concurrent access to the memory. More specifically, we may have a non-deterministic program if several values are stored at the same address, as in the following example:

$\mathsf{get}(x) \,|\, (x \Leftarrow V_1) \,|\, (x \Leftarrow V_2)$ (2)

or if there is a race condition on a volatile address, as in the following example:

$E_1[\mathsf{get}(x)] \,|\, E_2[\mathsf{get}(x)] \,|\, (x \leftarrow V)$ (3)

On the other hand, a race condition on a persistent address such as:

$E_1[\mathsf{get}(x)] \,|\, E_2[\mathsf{get}(x)] \,|\, (x \Leftarrow V)$ (4)

does not compromise determinism because the two possible reductions commute. We can rule out the problematic situations (2) and (3) if we remove from our system the region usage $[\infty, \infty]$
$U \in \{[1, \infty], [0, \infty]\} \cup \{[1, 1], [1, 0], [0, 1], [0, 0]\}$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0,\ v' \neq \infty \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : A}{R; \Gamma \vdash \mathsf{set}(x, V) : 1}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0,\ v' \neq \infty \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : A}{R; \Gamma \vdash (x \leftarrow V) : \mathbf{B}}$$

Table 6: Restricted usages and restricted rules for confluence

and if we restrict the usages of non-persistent stores to those in which there is at most one read effect. More precisely, we add a condition $v' \neq \infty$ to the typing rules for volatile stores $\mathsf{set}(x, V)$ and $(x \leftarrow V)$ as specified in table 6.

We denote with $\vdash_c$ provability in this restricted system. This system still enjoys the subject reduction property and moreover its typable programs are strongly confluent.

Proposition 7 (subj. red. and confluence) Suppose $R; \Gamma \vdash_c P : \alpha$. Then:

(1) If $P \to P'$ then $R; \Gamma \vdash_c P' : \alpha$.

(2) If $P \to P'$ and $P \to P''$ then either $P' \equiv P''$ or there is a $Q$ such that $P' \to Q$ and $P'' \to Q$.

Proof. (1) We just have to reconsider the case where $E[\mathsf{set}(x, V)] \to E[*] \,|\, (x \leftarrow V)$ and verify that if $R; \Gamma \vdash \mathsf{set}(x, V) : 1$ then $R; \Gamma \vdash (x \leftarrow V) : \mathbf{B}$, which entails that $E[*] \,|\, (x \leftarrow V)$ is typable in the same context as $E[\mathsf{set}(x, V)]$.

(2) The restrictions on the usages forbid the typing of a store such as the one in (2) where two values are stored in the same region. Moreover, they also forbid the typing of two parallel reads on a volatile store. □

We note that the rules for ensuring confluence require that at most one value is associated with a region. This is quite a restrictive discipline but one has to keep in mind that it targets regions that can be accessed concurrently by several threads. Of course, the discipline could be relaxed for the regions that are accessed by one single sequential thread.
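As an added example (not the paper's code), a small Python model of the store reductions of table 2 that enumerates every interleaving of programs (2), (3) and (4) above and collects the reachable normal forms, so the two non-deterministic cases and the commuting persistent case can be compared directly. Threads are modelled only by the address they wait on or the value they received; the Get/Val classes and the "vol"/"per" store tags are my own assumptions.

```python
# Added example (not the paper's code): enumerate every interleaving of the
# store reductions of table 2 for the programs (2), (3) and (4) of section 3.
# A thread is modelled only by what matters for these reductions: the address
# it is waiting to read (E[get(x)]) or the value it has received.  Stores are
# (kind, address, value) triples with kind "vol" for (x <- V) and "per" for
# (x <= V).  This encoding and the class names are my own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Get:          # a thread of the shape E[get(addr)]
    addr: str


@dataclass(frozen=True)
class Val:          # a thread that has received a value and cannot reduce further
    value: str


def step(threads, stores):
    """All one-step successors of a configuration.  Threads keep their position,
    so E1 or E2 receiving the value in (3) and (4) are distinct outcomes."""
    succ = []
    for i, t in enumerate(threads):
        if not isinstance(t, Get):
            continue
        for j, (kind, x, v) in enumerate(stores):
            if x != t.addr:
                continue
            new_threads = list(threads)
            new_threads[i] = Val(v)
            if kind == "vol":
                # E[get(x)] | (x <- V) -> E[V]: the volatile store is consumed
                new_stores = stores[:j] + stores[j + 1:]
            else:
                # E[get(x)] | (x <= !V) -> E[!V] | (x <= !V): the store persists
                new_stores = stores
            succ.append((tuple(new_threads), tuple(new_stores)))
    return succ


def final_configurations(threads, stores):
    """The set of normal forms reachable from the initial configuration."""
    start = (tuple(threads), tuple(stores))
    seen, work, finals = set(), [start], set()
    while work:
        conf = work.pop()
        if conf in seen:
            continue
        seen.add(conf)
        nxt = step(*conf)
        if not nxt:
            finals.add(conf)
        work.extend(nxt)
    return finals


def program_2():
    """get(x) | (x <= V1) | (x <= V2): two values at one persistent address."""
    return final_configurations([Get("x")], [("per", "x", "V1"), ("per", "x", "V2")])


def program_3():
    """E1[get(x)] | E2[get(x)] | (x <- V): a race on a volatile address."""
    return final_configurations([Get("x"), Get("x")], [("vol", "x", "V")])


def program_4():
    """E1[get(x)] | E2[get(x)] | (x <= V): a race on a persistent address."""
    return final_configurations([Get("x"), Get("x")], [("per", "x", "V")])


def is_determinate(finals):
    """Determinate here means every interleaving reaches the same normal form."""
    return len(finals) == 1


if __name__ == "__main__":
    for name, prog in (("(2)", program_2), ("(3)", program_3), ("(4)", program_4)):
        finals = prog()
        print(name, "determinate" if is_determinate(finals) else "non-deterministic", finals)
```

In (3) the thread that loses the race stays stuck on `get(x)` with no store left, which is exactly the progress situation of proposition 6.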

4 An affine-intuitionistic type and effect system

We refine the type system to include effects, which are denoted with $e, e', \ldots$ and are finite sets of regions. The syntax of programs (table 1) and their operational semantics (table 2) are unchanged. The only modification to the syntax of types (table 3) is that the affine implication is now annotated with an effect, so that we write: $A \multimap^{e} \alpha$. This introduces a new dependency of types on regions and consequently the compatibility condition between region contexts and functional types in table 4 becomes:

$$\frac{R \downarrow A \quad R \downarrow \alpha \quad e \subseteq dom(R)}{R \downarrow (A \multimap^{e} \alpha)}$$

For instance, one may verify that the judgement $r : (U, 1 \multimap 1) \vdash$ is derivable. Also, to allow for some flexibility, it is convenient to introduce a subtyping relation on types and effects as specified in table 7.
$$\frac{}{R \vdash \alpha \leq \alpha} \qquad \frac{R \vdash A \leq A'}{R \vdash !A \leq !A'} \qquad \frac{e \subseteq e' \subseteq dom(R) \quad R \vdash A' \leq A \quad R \vdash \alpha \leq \alpha'}{R \vdash (A \multimap^{e} \alpha) \leq (A' \multimap^{e'} \alpha')}$$

$$\frac{e \subseteq e' \subseteq dom(R) \quad R \vdash \alpha \leq \alpha'}{R \vdash (\alpha, e) \leq (\alpha', e')} \qquad \frac{R; \Gamma \vdash M : (\alpha, e) \quad R \vdash (\alpha, e) \leq (\alpha', e')}{R; \Gamma \vdash M : (\alpha', e')}$$

Table 7: Subtyping induced by effect containment

We notice that the transitivity rule for subtyping

$$\frac{R \vdash \alpha \leq \alpha' \quad R \vdash \alpha' \leq \alpha''}{R \vdash \alpha \leq \alpha''}$$

can be derived via a simple induction on the height of the proofs. The typing judgements now take the shape $R; \Gamma \vdash P : (\alpha, e)$ where the effect $e$ provides an upper bound on the set of regions on which the program $P$ may read or write when it is evaluated. In particular, we can be sure that values and stores produce an empty effect. As for the operations to read and write the store, one exploits the dependency of address types on regions to determine the region where the effect occurs (cf. [E]). For the sake of completeness, the typing rules are spelled out in table 8.

We stress that these rules are the same as the ones in table 5 modulo the enriched syntax of the functional types and the management of the effect $e$ on the right hand side of the sequents. The management of the effects is additive as in [15]; indeed effects are just sets of regions.

The introduction of the subtyping rules has a limited impact on the structure of the typing proofs. Indeed, if $R \vdash A \leq B$ then we know that $A$ and $B$ may just differ in the effects annotating the functional types. In particular, when looking at the proof of the typing judgement of a value such as $R; \Gamma \vdash \lambda x.M : (A, e)$, we can always argue that $A$ has the shape $A_1 \multimap^{e_1} A_2$ and, in case the effect $e$ is not empty, that there is a shorter proof of the judgement $R; \Gamma \vdash \lambda x.M : (B_1 \multimap^{e_2} B_2, \emptyset)$ where $R \vdash A_1 \leq B_1$, $R \vdash B_2 \leq A_2$, and $e_2 \subseteq e_1$.

Then to prove subject reduction, we just repeat the proof of theorem 5 while using standard arguments to keep track of the effects.

Proposition 8 (subject reduction with effects) Types and effects are preserved by reduction.

It is easy to check that a typable program such as $E[\mathsf{set}(x, V)]$ which is ready to produce an effect on the region $r$ associated with $x$ will indeed contain $r$ in its effect. Thus the subject reduction property stated above as proposition 8 entails that the type and effect system does provide an upper bound on the effects a program may produce during its evaluation.

5 Termination

Terms typable in the unstratified type and effect system described in table 8 may diverge. For instance, the following term $M$ stores at the address $x$ a function that, given an argument,
$$\frac{R \vdash \Gamma \quad x : (u, A) \in \Gamma}{R; \Gamma \vdash x : (A, \emptyset)} \qquad \frac{R \vdash \Gamma}{R; \Gamma \vdash * : (1, \emptyset)} \qquad \frac{R; \Gamma, x : (1, A) \vdash M : (\alpha, e)}{R; \Gamma \vdash \lambda x.M : (A \multimap^{e} \alpha, \emptyset)}$$

$$\frac{R_1; \Gamma_1 \vdash M : (A \multimap^{e} \alpha, e') \quad R_2; \Gamma_2 \vdash N : (A, e'')}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash MN : (\alpha, e \cup e' \cup e'')}$$

$$\frac{R \uplus R' \vdash (\Gamma \uplus \Gamma') \quad \mathit{saff}(R'; \Gamma') \quad R; \Gamma \vdash M : (A, e) \quad \neg\mathit{aff}(R; \Gamma)}{R \uplus R'; \Gamma \uplus \Gamma' \vdash !M : (!A, e)} \qquad \frac{R_1; \Gamma_1 \vdash M : (!A, e) \quad R_2; \Gamma_2, x : (\infty, A) \vdash N : (\alpha, e')}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash \mathsf{let}\ !x = M\ \mathsf{in}\ N : (\alpha, e \cup e')}$$

$$\frac{R; \Gamma, x : (u, \mathsf{Reg}_r A) \vdash P : (\alpha, e)}{R; \Gamma \vdash \nu x\, P : (\alpha, e)} \qquad \frac{R \vdash \Gamma \quad x : (u, \mathsf{Reg}_r A) \in \Gamma \quad r : ([v, v'], A) \in R \quad v' \neq 0}{R; \Gamma \vdash \mathsf{get}(x) : (A, \{r\})}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : (A, \emptyset)}{R; \Gamma \vdash \mathsf{set}(x, V) : (1, \{r\})}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r !A) \uplus \Gamma' \quad \mathsf{P}(r) \quad R = r : ([v, v'], !A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : (!A, \emptyset)}{R; \Gamma \vdash \mathsf{pset}(x, V) : (1, \{r\})}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma' \quad \mathsf{V}(r) \quad R = r : ([v, v'], A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : (A, \emptyset)}{R; \Gamma \vdash (x \leftarrow V) : (\mathbf{B}, \emptyset)}$$

$$\frac{\Gamma = x : (u, \mathsf{Reg}_r !A) \uplus \Gamma' \quad \mathsf{P}(r) \quad R = r : ([v, v'], !A) \uplus R' \quad v \neq 0 \quad R \vdash \Gamma \quad R'; \Gamma' \vdash V : (!A, \emptyset)}{R; \Gamma \vdash (x \Leftarrow V) : (\mathbf{B}, \emptyset)}$$

$$\frac{R_1; \Gamma_1 \vdash P : (\alpha, e) \quad R_2; \Gamma_2 \vdash S : (\mathbf{B}, \emptyset)}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P \,|\, S) : (\alpha, e)} \qquad \frac{R_i; \Gamma_i \vdash P_i : (\alpha_i, e_i) \quad P_i \text{ not a store} \quad i = 1, 2}{R_1 \uplus R_2; \Gamma_1 \uplus \Gamma_2 \vdash (P_1 \,|\, P_2) : (\mathbf{B}, e_1 \cup e_2)}$$

Table 8: An affine-intuitionistic type and effect system
$$\frac{}{\emptyset \vdash} \qquad \frac{R \vdash A \quad r \notin dom(R)}{R, r : (U, A) \vdash} \qquad \frac{R \vdash}{R \vdash 1} \qquad \frac{R \vdash}{R \vdash \mathbf{B}} \qquad \frac{R \vdash A}{R \vdash !A}$$

$$\frac{R \vdash A \quad R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (A \multimap^{e} \alpha)} \qquad \frac{R \vdash \quad r : (U, A) \in R}{R \vdash \mathsf{Reg}_r A} \qquad \frac{R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (\alpha, e)}$$

Table 9: Rules for the formation of types and contexts (stratified)

$$\underline{1} = 1, \quad \underline{\mathbf{B}} = \mathbf{B}, \quad \underline{A \multimap^{e} \alpha} = \underline{A} \to^{e} \underline{\alpha}, \quad \underline{!A} = \underline{A}, \quad \underline{\mathsf{Reg}_r A} = \mathsf{Reg}_r \underline{A}$$

$$\underline{r_1 : (U_1, A_1), \ldots, r_n : (U_n, A_n)} = r_1 : \underline{A_1}, \ldots, r_n : \underline{A_n}$$

$$\underline{x : (u, A), \Gamma} = \begin{cases} x : \underline{A}, \underline{\Gamma} & \text{if } A \neq \mathsf{Reg}_r B \\ \underline{\Gamma} & \text{otherwise} \end{cases}$$

$$\underline{x} = x, \quad \underline{x^r} = r, \quad \underline{*} = *, \quad \underline{\lambda x.M} = \lambda x.\underline{M}, \quad \underline{MN} = \underline{M}\,\underline{N}$$

$$\underline{!M} = \underline{M}, \quad \underline{\mathsf{let}\ !x = M\ \mathsf{in}\ N} = (\lambda x.\underline{N})\underline{M}, \quad \underline{\nu x\, M} = \underline{M}$$

$$\underline{\mathsf{get}(x^r)} = \mathsf{get}(r), \quad \underline{\mathsf{set}(x^r, V)} = \mathsf{set}(r, \underline{V}), \quad \underline{\mathsf{pset}(x^r, V)} = \mathsf{pset}(r, \underline{V})$$

$$\underline{(x^r \leftarrow V)} = (r \Leftarrow \underline{V}), \quad \underline{(x^r \Leftarrow V)} = (r \Leftarrow \underline{V}), \quad \underline{P \,|\, P'} = \underline{P} \,|\, \underline{P'}$$

Table 10: Forgetful translation



keeps fetching itself from the store forever:

$M = \nu x\, \mathsf{pset}(x, !(\lambda y.\mathsf{let}\ !x = \mathsf{get}(x)\ \mathsf{in}\ xy));\ \mathsf{let}\ !x = \mathsf{get}(x)\ \mathsf{in}\ x*$ (5)

One may verify that $M$ is typable in a region context $R = r : ([1, \infty], !(1 \multimap^{\{r\}} 1))$.

This example suggests that in order to recover termination, we may order regions and make sure that a value stored in a certain region, when put in an evaluation context, can only produce effects on smaller regions. To formalise this idea, we introduce in table 9 rules for the formation of types and contexts which are alternative to those in table 4. Assuming $R = r : (U, 1)$, one may check that the judgement $r : (U, 1), r' : (U', 1 \multimap^{\{r\}} 1) \vdash$ is derivable while $r' : (U', 1 \multimap^{\{r'\}} 1) \vdash$ is not.

It is easy to verify that the stratified system is a restriction of the unstratified one and that the subject reduction result (proposition 8) still holds in the restricted stratified system. If confluence is required, then one may add the restrictions spelled out in table 6.
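As an added example (not the paper's code), a Python checker for the stratified formation rules of table 9, run on the two judgements just discussed and on the region context of the divergent term (5); the tuple encoding of types, the function names and the use of plain strings for usages that the rules do not inspect are my own assumptions.

```python
# Added example (not the paper's code): the stratified formation rules of
# table 9 as a checker.  Types are encoded as tuples, my own convention:
#   ("1",)  ("B",)  ("!", A)  ("Reg", r, A)  ("->", A, effect, alpha)
# where ("->", A, e, alpha) stands for A -o^e alpha and e is a frozenset of
# region names.  A region context R is an ordered list of (r, U, A) triples;
# the usage U is carried along but never inspected by these rules.
INF = float("inf")


def type_well_formed(R, ty):
    """R |- ty, where R maps the regions declared so far to their types."""
    tag = ty[0]
    if tag in ("1", "B"):
        return True
    if tag == "!":
        return type_well_formed(R, ty[1])
    if tag == "Reg":
        _, r, a = ty                    # Reg_r A needs r : (U, A) already in R
        return r in R and R[r] == a
    if tag == "->":
        _, a, eff, alpha = ty           # A -o^e alpha needs e within dom(R)
        return (type_well_formed(R, a) and eff <= frozenset(R)
                and type_well_formed(R, alpha))
    raise ValueError(f"unknown type constructor {tag!r}")


def region_context_well_formed(R):
    """R |- : regions are added left to right; r must be new and R |- A must
    hold before r : (U, A) joins, so A may only mention earlier regions."""
    declared = {}
    for r, _U, A in R:
        if r in declared or not type_well_formed(declared, A):
            return False
        declared[r] = A
    return True


def effect_well_formed(R, alpha, eff):
    """R |- (alpha, e): the effect of a judgement must also stay in dom(R)."""
    declared = {r: A for r, _U, A in R}
    return (region_context_well_formed(R) and type_well_formed(declared, alpha)
            and eff <= frozenset(declared))


ONE = ("1",)
# r : (U, 1), r' : (U', 1 -o^{r} 1) |-  is derivable ...
STRATIFIED_OK = [("r", "U", ONE), ("r'", "U'", ("->", ONE, frozenset({"r"}), ONE))]
# ... while r' : (U', 1 -o^{r'} 1) |-  is not: r' is not yet declared.
STRATIFIED_BAD = [("r'", "U'", ("->", ONE, frozenset({"r'"}), ONE))]
# The region context of the divergent term (5) is rejected for the same reason.
DIVERGENT_R = [("r", (1, INF), ("!", ("->", ONE, frozenset({"r"}), ONE)))]

if __name__ == "__main__":
    for name, R in (("stratified", STRATIFIED_OK), ("self-referential", STRATIFIED_BAD),
                    ("context of (5)", DIVERGENT_R)):
        print(name, region_context_well_formed(R))
```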

Concerning termination, we recall that there is a standard forgetful translation (_) from 
affine-intuitionistic logic to intuitionistic logic which amounts to forget about the modality ! 
and the usages and to regard the affine implication as an ordinary intuitionistic implication. 
Thus, for instance, the translation of types goes as follows: [A = A and A —q B = A ^ B^; 
while the translation of terms is: |M = M and let Ix = M in N = {Xx.N_)M_. In table [lOl 
we lift this translation from the stratified affine-intuitionistic type and effect system into a 
stratified intuitionistic type and effect system defined in [1]. 

The translation assumes a decoration phase where the (free or bound) variables with a 
region type of the shape Reg^A are labelled with the region r. Intuitively, the intuitionistic 
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system abstracts an address x related to the region r to the region r itself so that a decorated 
variable rr^ translates into a constant r. In the intuitionistic language, a region r is a term 
of region type Reg^^, for some A and all stores are persistent. The full definition of the 
language is recalled in appendix [9l 

It turns out that a reduction in the affine-intuitionistic system is mapped to exactly one reduction in the intuitionistic system. Then the termination of the intuitionistic system proved in [1] entails the termination of the affine-intuitionistic one.

Theorem 9 (termination) Programs typable in the stratified affine-intuitionistic type and 
effect system terminate. 

6 Conclusion 

We have presented an affine-intuitionistic system of types and effects for a functional-concurrent programming language. The functional core of the system is based on Barber-Plotkin affine-intuitionistic logic, which distinguishes between affine and intuitionistic hypotheses. The language also includes a 'non-logical' part with operators to read and write dynamically generated addresses of a 'store'. In the type system, such addresses are abstracted into a finite number of regions. We have shown that suitable disciplines of region usage and region stratification allow us to regain confluence and termination, respectively.

Beyond these crucial properties, we hope to show in future work that other interesting properties of the functional core can be extended to the considered framework. We think in particular of the construction of denotational models (see, e.g., [5]) and of bounds on the computational complexity of typable programs (see, e.g.,

A Proofs

A.1 Proof of theorem [5]

Lemma 10 (weakening) If $R;\Gamma \vdash P : \alpha$ and $R \uplus R' \vdash \Gamma \uplus \Gamma'$ then $R \uplus R';\, \Gamma \uplus \Gamma' \vdash P : \alpha$.

Proof. By induction on the typing of $P$. Following table [4] there are 14 rules to be considered, of which we highlight 3.

$P = MN$. We have:

$$\frac{R_1;\Gamma_1 \vdash M : A \multimap \alpha \qquad R_2;\Gamma_2 \vdash N : A}{R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash MN : \alpha}$$

We notice that the composition operation $\uplus$ on contexts is associative and commutative (when it is defined) and that $(R_1 \uplus R_2 \uplus R') \vdash (\Gamma_1 \uplus \Gamma_2 \uplus \Gamma')$ entails $(R_1 \uplus R') \vdash (\Gamma_1 \uplus \Gamma')$. Hence, by induction hypothesis, we get $R_1 \uplus R';\, \Gamma_1 \uplus \Gamma' \vdash M : A \multimap \alpha$, from which we derive:

$$\frac{R_1 \uplus R';\, \Gamma_1 \uplus \Gamma' \vdash M : A \multimap \alpha \qquad R_2;\Gamma_2 \vdash N : A}{R_1 \uplus R_2 \uplus R';\, \Gamma_1 \uplus \Gamma_2 \uplus \Gamma' \vdash MN : \alpha}$$

$P = \,!M$. We have:

$$\frac{R \uplus R'' \vdash \Gamma \uplus \Gamma'' \qquad \mathit{aff}(R'';\Gamma'') \qquad \neg\mathit{aff}(R;\Gamma) \qquad R;\Gamma \vdash M : A}{R \uplus R'';\, \Gamma \uplus \Gamma'' \vdash\, !M : !A}$$

We can always decompose $R'$ as $R'_1 \uplus R'_2$ and $\Gamma'$ as $\Gamma'_1 \uplus \Gamma'_2$ so that $\neg\mathit{aff}(R'_2;\Gamma'_2)$ and $\mathit{aff}(R'_1;\Gamma'_1)$. By induction hypothesis, we have $R \uplus R'_2;\, \Gamma \uplus \Gamma'_2 \vdash M : A$. We notice that $\neg\mathit{aff}(R \uplus R'_2;\, \Gamma \uplus \Gamma'_2)$ and $\mathit{aff}(R'_1 \uplus R'';\, \Gamma'_1 \uplus \Gamma'')$ (remember that $1 \uplus \infty$ is undefined). Hence we derive:

$$\frac{(R \uplus R'_2 \uplus R'_1 \uplus R'') \vdash (\Gamma \uplus \Gamma'_2 \uplus \Gamma'_1 \uplus \Gamma'') \qquad \mathit{aff}(R'_1 \uplus R'';\, \Gamma'_1 \uplus \Gamma'') \qquad \neg\mathit{aff}(R \uplus R'_2;\, \Gamma \uplus \Gamma'_2) \qquad R \uplus R'_2;\, \Gamma \uplus \Gamma'_2 \vdash M : A}{R \uplus R' \uplus R'';\, \Gamma \uplus \Gamma' \uplus \Gamma'' \vdash\, !M : !A}$$

$P = \mathsf{set}(x, V)$. We have:

$$\frac{\begin{array}{c}\Gamma = x : (u, \mathsf{Reg}_r A) \uplus \Gamma'' \qquad R = r : ([v, v'], A) \uplus R'' \qquad v \neq 0 \\ R \vdash \Gamma \qquad R'';\Gamma'' \vdash V : A\end{array}}{R;\Gamma \vdash \mathsf{set}(x, V) : 1}$$

By induction hypothesis, we have $R'' \uplus R';\, \Gamma'' \uplus \Gamma' \vdash V : A$, from which we derive:

$$\frac{\begin{array}{c}\Gamma \uplus \Gamma' = x : (u, \mathsf{Reg}_r A) \uplus (\Gamma'' \uplus \Gamma') \qquad R \uplus R' = r : ([v, v'], A) \uplus (R'' \uplus R') \qquad v \neq 0 \\ R \uplus R' \vdash \Gamma \uplus \Gamma' \qquad R'' \uplus R';\, \Gamma'' \uplus \Gamma' \vdash V : A\end{array}}{R \uplus R';\, \Gamma \uplus \Gamma' \vdash \mathsf{set}(x, V) : 1}$$

We notice that this argument still holds when introducing the restriction $v' \neq \infty$ in order to guarantee confluence (cf. table [4]). Indeed, the restriction $v' \neq \infty$ is equivalent to requiring that the usage of the region $r$ ranges in the family of usages $\{[1,1], [1,0], [0,1], [0,0]\}$. $\square$
Lemma 11 (affine substitution lemma) If $R_1;\Gamma_1, x : (1, A) \vdash P : \alpha$, $R_2;\Gamma_2 \vdash V : A$, and $R_1 \uplus R_2 \vdash \Gamma_1 \uplus \Gamma_2$ then $R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash [V/x]P : \alpha$.

Proof. By induction on the typing of $P$. We highlight 4 cases out of 14.

$P = MN$. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : C \multimap \alpha \qquad R_4;\Gamma'_4 \vdash N : C}{R_3 \uplus R_4;\, \Gamma'_3 \uplus \Gamma'_4 \vdash MN : \alpha}$$

Because $x : (1, A)$ is an affine hypothesis, it can occur exclusively either in $\Gamma'_3$ or in $\Gamma'_4$. We consider both cases.

1. $\Gamma'_3 = \Gamma_3, x : (1, A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathit{dom}(\Gamma_4)$. By induction hypothesis we have $R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4 \vdash [V/x]N : C$. Then we derive:

$$\frac{R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_4;\Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathit{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (1, A)$. By induction hypothesis we have $R_2 \uplus R_4;\, \Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Plus $x \notin FV(M)$ so $[V/x]M = M$, hence $R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_2 \uplus R_4;\, \Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

$P = \,!M$. We have:

$$\frac{R_1 \uplus R' \vdash \Gamma_1 \uplus (\Gamma', x : (1, A)) \qquad \mathit{aff}(R';\Gamma', x : (1, A)) \qquad R_1;\Gamma_1 \vdash M : A \qquad \neg\mathit{aff}(R_1;\Gamma_1)}{R_1 \uplus R';\, \Gamma_1 \uplus (\Gamma', x : (1, A)) \vdash\, !M : !A}$$

We deduce that $x \notin FV(!M)$, hence $[V/x](!M) = \,!M$ and $R_1 \uplus R';\, \Gamma_1 \uplus \Gamma' \vdash [V/x](!M) : !A$. By lemma [10] we get $R_1 \uplus R' \uplus R_2;\, \Gamma_1 \uplus \Gamma' \uplus \Gamma_2 \vdash [V/x](!M) : !A$.



$P = \mathsf{let}\ !y = M\ \mathsf{in}\ N$. Renaming $y$ so that $y \neq x$, we have:

$$\frac{R_3;\Gamma'_3 \vdash M : !C \qquad R_4;\Gamma'_4, y : (\infty, C) \vdash N : \alpha}{R_3 \uplus R_4;\, \Gamma'_3 \uplus \Gamma'_4 \vdash \mathsf{let}\ !y = M\ \mathsf{in}\ N : \alpha}$$

As in the case of application, we distinguish two cases.

1. $\Gamma'_3 = \Gamma_3, x : (1, A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathit{dom}(\Gamma_4)$. By induction hypothesis, we have $R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4, y : (\infty, C) \vdash [V/x]N : \alpha$. Then we derive:

$$\frac{R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C \qquad R_4;\Gamma_4, y : (\infty, C) \vdash [V/x]N : \alpha}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathsf{let}\ !y = M\ \mathsf{in}\ N) : \alpha}$$

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathit{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (1, A)$. By induction hypothesis we have $R_2 \uplus R_4;\, (\Gamma_2, y : (\infty, C)) \uplus \Gamma_4 \vdash [V/x]N : \alpha$. Plus $x \notin FV(M)$ so $[V/x]M \equiv M$, hence $R_3;\Gamma_3 \vdash [V/x]M : !C$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : !C \qquad R_2 \uplus R_4;\, (\Gamma_2, y : (\infty, C)) \uplus \Gamma_4 \vdash [V/x]N : \alpha}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathsf{let}\ !y = M\ \mathsf{in}\ N) : \alpha}$$

$P = \mathsf{set}(y, V')$. We distinguish two cases.

1. If $y \neq x$ we have:

$$\frac{\begin{array}{c}\Gamma_1, x : (1, A) = y : (u, \mathsf{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 = r : ([v, v'], C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1, x : (1, A) \qquad R'_1;\Gamma'_1 \vdash V' : C\end{array}}{R_1;\Gamma_1, x : (1, A) \vdash \mathsf{set}(y, V') : 1}$$

We deduce that $\Gamma'_1 = \Gamma''_1 \uplus x : (1, A)$, and by induction hypothesis we get $R'_1 \uplus R_2;\, \Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C$, from which we derive:

$$\frac{\begin{array}{c}\Gamma_1 = y : (u, \mathsf{Reg}_r C) \uplus \Gamma''_1 \qquad R_1 = r : ([v, v'], C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1 \qquad R'_1 \uplus R_2;\, \Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C\end{array}}{R_1;\Gamma_1 \vdash [V/x]\mathsf{set}(y, V') : 1}$$

By lemma [10] we obtain $R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathsf{set}(y, V') : 1$.

2. If $y = x$ then $[V/x]\mathsf{set}(y, V') = \mathsf{set}(V, V')$, $A = \mathsf{Reg}_r C$, and $u = 1$. Moreover $V$ must be a variable, thus we can derive:

$$\frac{\Gamma_1 = V : (1, \mathsf{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 = r : ([v, v'], C) \uplus R'_1 \qquad v \neq 0}{R_1;\Gamma_1 \vdash [V/x]\mathsf{set}(y, V') : 1}$$

and by lemma [10] we get $R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathsf{set}(y, V') : 1$. $\square$

Lemma 12 (intuitionistic substitution lemma) If $R_1;\Gamma_1, x : (\infty, A) \vdash P : \alpha$, $R_2;\Gamma_2 \vdash\, !V : !A$, and $R_1 \uplus R_2 \vdash \Gamma_1 \uplus \Gamma_2$ then $R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash [V/x]P : \alpha$.

Proof. By induction on the typing of $P$. We highlight 4 cases out of 14.

$P = MN$. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : C \multimap \alpha \qquad R_4;\Gamma'_4 \vdash N : C}{R_3 \uplus R_4;\, \Gamma'_3 \uplus \Gamma'_4 \vdash MN : \alpha}$$

We distinguish 3 cases.

1. $\Gamma'_3 = \Gamma_3, x : (\infty, A)$ and $\Gamma'_4 = \Gamma_4$ with $x \notin \mathit{dom}(\Gamma_4)$. By induction hypothesis we have $R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Plus $x \notin FV(N)$ so $[V/x]N = N$, hence $R_4;\Gamma_4 \vdash [V/x]N : C$. Then we derive:

$$\frac{R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_4;\Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

2. $\Gamma'_3 = \Gamma_3$ with $x \notin \mathit{dom}(\Gamma_3)$ and $\Gamma'_4 = \Gamma_4, x : (\infty, A)$. By induction hypothesis we have $R_2 \uplus R_4;\, \Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Plus $x \notin FV(M)$ so $[V/x]M = M$, hence $R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha$. Then we derive:

$$\frac{R_3;\Gamma_3 \vdash [V/x]M : C \multimap \alpha \qquad R_2 \uplus R_4;\, \Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C}{R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha}$$

3. $\Gamma'_3 = \Gamma_3, x : (\infty, A)$ and $\Gamma'_4 = \Gamma_4, x : (\infty, A)$. By induction hypothesis we have $R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : C \multimap \alpha$ and $R_2 \uplus R_4;\, \Gamma_2 \uplus \Gamma_4 \vdash [V/x]N : C$. Moreover we have:

$$\frac{R_5 \uplus R' \vdash \Gamma_5 \uplus \Gamma' \qquad \mathit{aff}(R';\Gamma') \qquad R_5;\Gamma_5 \vdash V : A \qquad \neg\mathit{aff}(R_5;\Gamma_5)}{R_2;\Gamma_2 \vdash\, !V : !A}$$

where $R_2 = R_5 \uplus R'$ and $\Gamma_2 = \Gamma_5 \uplus \Gamma'$. Hence we know that all the hypotheses of $R'$ and $\Gamma'$ are of weakened regions and variables. Thus we also have $R_3 \uplus R_5;\, \Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : C \multimap \alpha$ and $R_4 \uplus R_5;\, \Gamma_4 \uplus \Gamma_5 \vdash [V/x]N : C$. Plus from $\neg\mathit{aff}(R_5;\Gamma_5)$ we get $R_5 \uplus R_5 = R_5$ and $\Gamma_5 \uplus \Gamma_5 = \Gamma_5$, and we can derive:

$$\frac{R_3 \uplus R_5;\, \Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : C \multimap \alpha \qquad R_4 \uplus R_5;\, \Gamma_4 \uplus \Gamma_5 \vdash [V/x]N : C}{R_3 \uplus R_4 \uplus R_5;\, \Gamma_3 \uplus \Gamma_4 \uplus \Gamma_5 \vdash [V/x](MN) : \alpha}$$

By lemma [10] we obtain $R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](MN) : \alpha$.

$P = \,!M$. Suppose:

$$\frac{R_5 \uplus R' \vdash (\Gamma_5, x : (\infty, A)) \uplus \Gamma' \qquad \mathit{aff}(R';\Gamma') \qquad R_5;\Gamma_5, x : (\infty, A) \vdash M : B \qquad \neg\mathit{aff}(R_5;\Gamma_5, x : (\infty, A))}{R_5 \uplus R';\, (\Gamma_5, x : (\infty, A)) \uplus \Gamma' \vdash\, !M : !B}$$

$$\frac{R_6 \uplus R_7 \vdash \Gamma_6 \uplus \Gamma_7 \qquad \mathit{aff}(R_7;\Gamma_7) \qquad \neg\mathit{aff}(R_6;\Gamma_6) \qquad R_6;\Gamma_6 \vdash V : A}{R_2;\Gamma_2 \vdash\, !V : !A}$$

with $R_2 = R_6 \uplus R_7$ and $\Gamma_2 = \Gamma_6 \uplus \Gamma_7$. Hence we know that all the hypotheses of $R_7$ and $\Gamma_7$ are of weakened regions and variables, such that $R_6;\Gamma_6 \vdash\, !V : !A$. By induction hypothesis we get $R_5 \uplus R_6;\, \Gamma_5 \uplus \Gamma_6 \vdash [V/x]M : B$ and we can derive:

$$\frac{(R_5 \uplus R_6) \uplus (R_7 \uplus R') \vdash (\Gamma_5 \uplus \Gamma_6) \uplus (\Gamma_7 \uplus \Gamma') \qquad \mathit{aff}(R_7 \uplus R';\, \Gamma_7 \uplus \Gamma') \qquad \neg\mathit{aff}(R_5 \uplus R_6;\, \Gamma_5 \uplus \Gamma_6) \qquad R_5 \uplus R_6;\, \Gamma_5 \uplus \Gamma_6 \vdash [V/x]M : B}{R_5 \uplus R_2 \uplus R';\, \Gamma_5 \uplus \Gamma_2 \uplus \Gamma' \vdash [V/x]\,!M : !B}$$

$P = \mathsf{let}\ !y = M\ \mathsf{in}\ N$. We have:

$$\frac{R_3;\Gamma'_3 \vdash M : !C \qquad R_4;\Gamma'_4, y : (\infty, C) \vdash N : \alpha}{R_3 \uplus R_4;\, \Gamma'_3 \uplus \Gamma'_4 \vdash \mathsf{let}\ !y = M\ \mathsf{in}\ N : \alpha}$$

with $y \neq x$. We just spell out the case where $\Gamma'_3 = \Gamma_3, x : (\infty, A)$ and $\Gamma'_4 = \Gamma_4, x : (\infty, A)$. By induction hypothesis, we have $R_2 \uplus R_3;\, \Gamma_2 \uplus \Gamma_3 \vdash [V/x]M : !C$ and $R_2 \uplus R_4;\, (\Gamma_2, y : (\infty, C)) \uplus \Gamma_4 \vdash [V/x]N : \alpha$. Moreover we have:

$$\frac{R_5 \uplus R' \vdash \Gamma_5 \uplus \Gamma' \qquad \mathit{aff}(R';\Gamma') \qquad R_5;\Gamma_5 \vdash V : A \qquad \neg\mathit{aff}(R_5;\Gamma_5)}{R_2;\Gamma_2 \vdash\, !V : !A}$$

where $\Gamma_2 = \Gamma_5 \uplus \Gamma'$ and $R_2 = R_5 \uplus R'$. Hence we know that all the hypotheses of $R'$ and $\Gamma'$ are of weakened regions and variables. Thus we also have $R_3 \uplus R_5;\, \Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : !C$ and $R_4 \uplus R_5;\, (\Gamma_4, y : (\infty, C)) \uplus \Gamma_5 \vdash [V/x]N : \alpha$. Plus from $\neg\mathit{aff}(R_5;\Gamma_5)$ we get $\Gamma_5 \uplus \Gamma_5 = \Gamma_5$ and $R_5 \uplus R_5 = R_5$, and we can derive:

$$\frac{R_3 \uplus R_5;\, \Gamma_3 \uplus \Gamma_5 \vdash [V/x]M : !C \qquad R_4 \uplus R_5;\, (\Gamma_4, y : (\infty, C)) \uplus \Gamma_5 \vdash [V/x]N : \alpha}{R_3 \uplus R_4 \uplus R_5;\, \Gamma_3 \uplus \Gamma_4 \uplus \Gamma_5 \vdash [V/x](\mathsf{let}\ !y = M\ \mathsf{in}\ N) : \alpha}$$

By lemma [10] we obtain $R_2 \uplus R_3 \uplus R_4;\, \Gamma_2 \uplus \Gamma_3 \uplus \Gamma_4 \vdash [V/x](\mathsf{let}\ !y = M\ \mathsf{in}\ N) : \alpha$.

$P = \mathsf{set}(y, V')$. We just look at the case $y \neq x$. We have:

$$\frac{\begin{array}{c}\Gamma_1, x : (\infty, A) = y : (u, \mathsf{Reg}_r C) \uplus \Gamma'_1 \qquad R_1 = r : ([v, v'], C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1, x : (\infty, A) \qquad R'_1;\Gamma'_1 \vdash V' : C\end{array}}{R_1;\Gamma_1, x : (\infty, A) \vdash \mathsf{set}(y, V') : 1}$$

We deduce that $\Gamma'_1 = \Gamma''_1 \uplus x : (\infty, A)$, and by induction hypothesis we get $R'_1 \uplus R_2;\, \Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C$, from which we derive:

$$\frac{\begin{array}{c}\Gamma_1 = y : (u, \mathsf{Reg}_r C) \uplus \Gamma''_1 \qquad R_1 = r : ([v, v'], C) \uplus R'_1 \qquad v \neq 0 \\ R_1 \vdash \Gamma_1 \qquad R'_1 \uplus R_2;\, \Gamma''_1 \uplus \Gamma_2 \vdash [V/x]V' : C\end{array}}{R_1 \uplus R_2;\, \Gamma_1 \uplus \Gamma_2 \vdash [V/x]\mathsf{set}(y, V') : 1}$$

$\square$

Lemma 13 (structural equivalence preserves typing) If $R;\Gamma \vdash P : \alpha$ and $P \equiv P'$ then $R;\Gamma \vdash P' : \alpha$.

Proof. Recall that structural equivalence is the least equivalence relation induced by the equations stated in table [2] and closed under static contexts. Then we proceed by induction on the proof of structural equivalence. This is mainly a matter of reordering the pieces of the typing proof of $P$ so as to obtain a typing proof of $P'$. $\square$

Lemma 14 (evaluation contexts and typing) Suppose that in the proof of $R;\Gamma \vdash E[M] : \alpha$ we prove $R';\Gamma' \vdash M : A$. Then replacing $M$ with an $M'$ such that $R';\Gamma' \vdash M' : A$, we can still derive $R;\Gamma \vdash E[M'] : \alpha$.

Proof. By induction on the structure of $E$. $\square$

Lemma 15 (functional redexes) If $R;\Gamma \vdash E[\Delta] : \alpha$ where $\Delta$ has the shape $(\lambda x.M)V$ or $\mathsf{let}\ !x = V\ \mathsf{in}\ M$ then $R;\Gamma \vdash E[[V/x]M] : \alpha$.

Proof. If $\Delta = (\lambda x.M)V$ we appeal to the affine substitution lemma [11] and if $\Delta = \mathsf{let}\ !x = V\ \mathsf{in}\ M$ we rely on the intuitionistic substitution lemma [12]. This settles the case where the evaluation context $E$ is trivial. If it is complex then we also need lemma [14]. $\square$
Lemma 16 (side-effects redexes) If $R;\Gamma \vdash \Delta : \alpha$ where $\Delta$ is one of the programs on the left-hand side then $R;\Gamma \vdash \Delta' : \alpha$ where $\Delta'$ is the corresponding program on the right-hand side:

$$\begin{array}{lll}
(1) & E[\mathsf{set}(x, V)] & E[*] \mid (x \Leftarrow V) \\
(2) & E[\mathsf{pset}(x, V)] & E[*] \mid (x \Leftarrow V) \\
(3) & E[\mathsf{get}(x)] \mid (x \Leftarrow V) & E[V] \\
(4) & E[\mathsf{get}(x)] \mid (x \Leftarrow\, !V) & E[!V] \mid (x \Leftarrow\, !V)
\end{array}$$

Proof. We proceed by case analysis.

1. Suppose we derive $R;\Gamma \vdash E[\mathsf{set}(x, V)] : \alpha$ from $R_2;\Gamma_2 \vdash \mathsf{set}(x, V) : 1$. By the typing rule for $\mathsf{set}(x, V)$ we know that $R_2 = r : ([v, v'], A) \uplus R_3$, $V(r)$, $\Gamma_2 = x : (u, \mathsf{Reg}_r A) \uplus \Gamma_3$, and $R_3;\Gamma_3 \vdash V : A$. It follows that $R_2;\Gamma_2 \vdash (x \Leftarrow V) : B$. We can decompose $R_2;\Gamma_2$ into an additive part $(R_2;\Gamma_2)^{a}$ and a multiplicative one $(R_2;\Gamma_2)^{m}$. Then from $(R_2;\Gamma_2)^{a} \vdash * : 1$, we can derive $R_1;\Gamma_1 \vdash E[*] : \alpha$, where $(R_1;\Gamma_1) \uplus (R_2;\Gamma_2)^{m} = R;\Gamma$.

2. Suppose we derive $R;\Gamma \vdash E[\mathsf{pset}(x, V)] : \alpha$ from $R_2;\Gamma_2 \vdash \mathsf{pset}(x, V) : 1$. By the typing rule for $\mathsf{pset}(x, V)$ we know that $R_2 = r : ([v, v'], !A) \uplus R_3$, $V(r)$, $\Gamma_2 = x : (u, \mathsf{Reg}_r\, !A) \uplus \Gamma_3$, and $R_3;\Gamma_3 \vdash V : !A$. It follows that $R_2;\Gamma_2 \vdash (x \Leftarrow V) : B$. Then we reason as in the previous case.

3. Suppose $R_1;\Gamma_1 \vdash E[\mathsf{get}(x)] : \alpha$ is derived from $R_2;\Gamma_2 \vdash \mathsf{get}(x) : A$, that $R_3;\Gamma_3 \vdash (x \Leftarrow V) : B$, and that $R;\Gamma = (R_1;\Gamma_1) \uplus (R_3;\Gamma_3)$. Then $(R_2;\Gamma_2) \uplus (R_3;\Gamma_3) \vdash V : A$, by weakening. Also, let $r$ be the region associated with the address $x$. We know that $V(r)$ and that $R_2$ must have a reading usage on $r$. It follows that $\mathit{aff}(R_2;\Gamma_2)$ and therefore the context $E$ cannot contain a sub-context of the shape $!E'$. Thus from $(R_2;\Gamma_2) \uplus (R_3;\Gamma_3) \vdash V : A$ we can derive $R;\Gamma \vdash E[V] : \alpha$.

4. Suppose $R_1;\Gamma_1 \vdash E[\mathsf{get}(x)] : \alpha$ is derived from $R_2;\Gamma_2 \vdash \mathsf{get}(x) : !A$, that $R_3;\Gamma_3 \vdash (x \Leftarrow\, !V) : B$, and that $R;\Gamma = (R_1;\Gamma_1) \uplus (R_3;\Gamma_3)$. By the promotion rule, $R_3;\Gamma_3$ is a weakening of $R_4;\Gamma_4$ such that $\neg\mathit{aff}(R_4;\Gamma_4)$ and $R_4;\Gamma_4 \vdash V : A$. Then from $R_4;\Gamma_4 \vdash\, !V : !A$ we can derive $R';\Gamma' \vdash E[!V] : \alpha$ where $R;\Gamma$ is a weakening of $(R';\Gamma') \uplus (R_3;\Gamma_3)$. $\square$

Theorem 17 (subject reduction) If $R;\Gamma \vdash P : \alpha$ and $P \to P'$ then $R;\Gamma \vdash P' : \alpha$.

Proof. We recall that $P \to P'$ means that $P$ is structurally equivalent to a program $C[\Delta]$ where $C$ is a static context, $\Delta$ is one of the programs on the left-hand side of the rewriting rules specified in table [2], $\Delta'$ is the respective program on the right-hand side, and $P'$ is syntactically equal to $C[\Delta']$.

By lemma [13] we know that $R;\Gamma \vdash C[\Delta] : \alpha$. This entails that $R';\Gamma' \vdash \Delta : \alpha'$ for suitable $R', \Gamma', \alpha'$. By lemmas [15] and [16] we derive that $R';\Gamma' \vdash \Delta' : \alpha'$. Then by induction on the structure of $C$ we argue that $R;\Gamma \vdash C[\Delta'] : \alpha$. $\square$



A.2 Proof of theorem [9]

Table [11] summarizes the main syntactic categories and the reduction rules of the intuitionistic system. It is important to notice that in the intuitionistic system regions are terms and that the operations that manipulate the store operate directly on the regions, so that we write $\mathsf{get}(r)$, $\mathsf{pset}(r, V)$, and $(r \Leftarrow V)$ rather than $\mathsf{get}(x)$, $\mathsf{pset}(x, V)$, and $(x \Leftarrow V)$.

Table [12] summarizes the typing rules for the stratified type and effect system.
Syntax: terms

$$\begin{array}{lcll}
x, y, \ldots & & & \text{(Variables)} \\
r, s, \ldots & & & \text{(Regions)} \\
V & ::= & x \mid * \mid r \mid \lambda x.M & \text{(Values)} \\
M & ::= & V \mid MM \mid \mathsf{get}(V) \mid \mathsf{pset}(V, V) \mid (M \mid M) & \text{(Terms)} \\
S & ::= & (r \Leftarrow V) \mid (S \mid S) & \text{(Stores)} \\
P & ::= & M \mid S \mid (P \mid P) & \text{(Programs)} \\
E & ::= & [\ ] \mid EM \mid VE & \text{(Evaluation Contexts)} \\
C & ::= & [\ ] \mid (C \mid P) \mid (P \mid C) & \text{(Static Contexts)}
\end{array}$$

Operational semantics

$$\begin{array}{ll}
P \mid P' \equiv P' \mid P & \text{(Commutativity)} \\
(P \mid P') \mid P'' \equiv P \mid (P' \mid P'') & \text{(Associativity)} \\
E[(\lambda x.M)V] \to E[[V/x]M] & \\
E[\mathsf{get}(r)] \mid (r \Leftarrow V) \to E[V] \mid (r \Leftarrow V) & \\
E[\mathsf{pset}(r, V)] \to E[*] \mid (r \Leftarrow V) &
\end{array}$$

Syntax: types and contexts

$$\begin{array}{lcll}
\alpha & ::= & A \mid B & \text{(Types)} \\
A & ::= & 1 \mid (A \xrightarrow{e} \alpha) \mid \mathsf{Reg}_r A & \text{(Value-types)} \\
\Gamma & ::= & x_1 : A_1, \ldots, x_n : A_n & \text{(Contexts)} \\
R & ::= & r_1 : A_1, \ldots, r_n : A_n & \text{(Region contexts)}
\end{array}$$

Table 11: Intuitionistic system: syntactic categories and operational semantics

Proviso. To avoid confusion, in the following we write $\vdash_{AI}$ for provability in the affine-intuitionistic system and $\vdash_I$ for provability in the intuitionistic system.

The translation acts on typable programs. In order to define it, it is useful to go through a phase of decoration which amounts to labelling each occurrence (either free or bound) of a variable $x$ of region type $\mathsf{Reg}_r A$ with the region $r$. For instance, suppose $R = r_1 : (U_1, A_1), \ldots, r_4 : (U_4, A_4)$ and suppose we have a provable judgement:

$$R;\ x_1 : (u_1, \mathsf{Reg}_{r_1} A) \vdash_{AI}\ x_1 \mid \mathsf{let}\ !x_2 = \cdots\ \mathsf{in}\ x_2 \mid \lambda x_3.x_3 \mid \nu x_4\, x_4\ :\ (B, \emptyset)$$

Further suppose in the proof the variable $x_i$ relates to the region $r_i$ for $i = 1, \ldots, 4$. Then the decorated term is:

$$x_1^{r_1} \mid \mathsf{let}\ !x_2 = \cdots\ \mathsf{in}\ x_2^{r_2} \mid \lambda x_3.x_3^{r_3} \mid \nu x_4\, x_4^{r_4}\ .$$

The idea is that the translation of a decorated variable $x^r$ is simply the region $r$, so that in the previous case we obtain the following term of the intuitionistic system:

$$r_1 \mid (\lambda x_2.r_2)(\cdots) \mid \lambda x_3.r_3 \mid r_4\ .$$

Note that in the translation the $\nu$'s disappear while the $\lambda$'s and $\mathsf{let}$'s are simulated by the intuitionistic $\lambda$'s.
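As an added illustration of the translation just described (this is not code from the paper; the AST constructors, the names tr_type, tr_term and show, and the constructed sample term are assumptions of this example), the following Python model applies the forgetful translation to types, to the decorated example term above, and to a let-binding. It goes slightly beyond the text in that it also handles the region type and an undecorated variable, which the translation leaves unchanged.

```python
# Added example (not the paper's code): a toy model of the forgetful
# translation (_) on a small hypothetical AST.  Types: !A -> A, A -o B -> A -> B,
# Reg_r A unchanged.  Terms: !M -> M, let !x = M in N -> (\x.N) M,
# a decorated variable x^r -> the region constant r, nu x P -> P.
from dataclasses import dataclass
from typing import Optional, Union

# ---- types -------------------------------------------------------------
@dataclass(frozen=True)
class One:
    pass

@dataclass(frozen=True)
class Bang:              # !A
    body: "Ty"

@dataclass(frozen=True)
class Lolli:             # affine implication A -o B
    dom: "Ty"
    cod: "Ty"

@dataclass(frozen=True)
class Arrow:             # intuitionistic implication A -> B
    dom: "Ty"
    cod: "Ty"

@dataclass(frozen=True)
class Reg:               # Reg_r A
    region: str
    body: "Ty"

Ty = Union[One, Bang, Lolli, Arrow, Reg]

def tr_type(t: Ty) -> Ty:
    """Forgetful translation of types: drop '!' and read -o as ->."""
    if isinstance(t, Bang):
        return tr_type(t.body)
    if isinstance(t, (Lolli, Arrow)):
        return Arrow(tr_type(t.dom), tr_type(t.cod))
    if isinstance(t, Reg):
        return Reg(t.region, tr_type(t.body))
    return t                                   # One is unchanged

# ---- terms -------------------------------------------------------------
@dataclass(frozen=True)
class Var:               # x, or the decorated x^r when region is set
    name: str
    region: Optional[str] = None

@dataclass(frozen=True)
class RegionConst:       # the region r used as a term (intuitionistic side)
    region: str

@dataclass(frozen=True)
class Lam:
    param: str
    body: "Tm"

@dataclass(frozen=True)
class App:
    fun: "Tm"
    arg: "Tm"

@dataclass(frozen=True)
class BangT:             # !M
    body: "Tm"

@dataclass(frozen=True)
class LetBang:           # let !var = bound in body
    var: str
    bound: "Tm"
    body: "Tm"

@dataclass(frozen=True)
class Nu:                # nu var body
    var: str
    body: "Tm"

@dataclass(frozen=True)
class Par:               # left | right
    left: "Tm"
    right: "Tm"

Tm = Union[Var, RegionConst, Lam, App, BangT, LetBang, Nu, Par]

def tr_term(m: Tm) -> Tm:
    """Forgetful translation of decorated terms, following the clauses above."""
    if isinstance(m, Var):               # x^r -> r ; a plain x stays x
        return RegionConst(m.region) if m.region is not None else m
    if isinstance(m, RegionConst):
        return m
    if isinstance(m, Lam):
        return Lam(m.param, tr_term(m.body))
    if isinstance(m, App):
        return App(tr_term(m.fun), tr_term(m.arg))
    if isinstance(m, BangT):             # !M -> M
        return tr_term(m.body)
    if isinstance(m, LetBang):           # let !x = M in N -> (\x.N) M
        return App(Lam(m.var, tr_term(m.body)), tr_term(m.bound))
    if isinstance(m, Nu):                # the nu binder disappears
        return tr_term(m.body)
    if isinstance(m, Par):
        return Par(tr_term(m.left), tr_term(m.right))
    raise TypeError(m)

def show(m: Tm) -> str:
    """Pretty-printer for the intuitionistic terms produced by tr_term."""
    if isinstance(m, Var):
        return m.name if m.region is None else f"{m.name}^{m.region}"
    if isinstance(m, RegionConst):
        return m.region
    if isinstance(m, Lam):
        return f"\\{m.param}.{show(m.body)}"
    if isinstance(m, App):
        return f"({show(m.fun)})({show(m.arg)})"
    if isinstance(m, Par):
        return f"{show(m.left)} | {show(m.right)}"
    raise TypeError(m)    # !, let and nu never survive the translation

# Constructed instance of the decorated example term
# x1^r1 | let !x2 = ... in x2^r2 | \x3.x3^r3 | nu x4 x4^r4,
# where the elided "..." is filled with the constructed term !u.
EXAMPLE = Par(
    Par(
        Par(Var("x1", "r1"),
            LetBang("x2", BangT(Var("u")), Var("x2", "r2"))),
        Lam("x3", Var("x3", "r3"))),
    Nu("x4", Var("x4", "r4")))

def translate_example() -> str:
    return show(tr_term(EXAMPLE))

if __name__ == "__main__":
    print(translate_example())
    print(tr_type(Lolli(Bang(One()), One())))
```

Running the block prints the intuitionistic term `r1 | (\x2.r2)(u) | \x3.r3 | r4`, matching the shape obtained by hand above, and shows that `!1 -o 1` is read as the ordinary implication `1 -> 1`.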

Assuming the decoration phase, the forgetful translation $\underline{(\_)}$ is defined in table [10].

Lemma 18 The forgetful translation preserves provability in the following sense:

1. If $R \vdash_{AI}$ then $\underline{R} \vdash_I$.

2. If $R \vdash_{AI} \alpha$ then $\underline{R} \vdash_I \underline{\alpha}$.

3. If $R \vdash_{AI} (\alpha, e)$ then $\underline{R} \vdash_I (\underline{\alpha}, e)$.

4. If $R \vdash_{AI} \alpha \leq \alpha'$ then $\underline{R} \vdash_I \underline{\alpha} \leq \underline{\alpha'}$.

5. If $R \vdash_{AI} (\alpha, e) \leq (\alpha', e')$ then $\underline{R} \vdash_I (\underline{\alpha}, e) \leq (\underline{\alpha'}, e')$.

6. If $R \vdash_{AI} \Gamma$ then $\underline{R} \vdash_I \underline{\Gamma}$.

7. If $R;\Gamma \vdash_{AI} P : (\alpha, e)$ (and $P$ has been decorated) then $\underline{R};\underline{\Gamma} \vdash_I \underline{P} : (\underline{\alpha}, e)$.

Stratified region contexts and types

$$\frac{}{\emptyset \vdash} \qquad \frac{R \vdash A \qquad r \notin \mathit{dom}(R)}{R, r : A \vdash} \qquad \frac{R \vdash}{R \vdash B}$$

$$\frac{R \vdash A \qquad R \vdash \alpha \qquad e \subseteq \mathit{dom}(R)}{R \vdash (A \xrightarrow{e} \alpha)} \qquad \frac{R \vdash \qquad r : A \in R}{R \vdash \mathsf{Reg}_r A} \qquad \frac{R \vdash \alpha \qquad e \subseteq \mathit{dom}(R)}{R \vdash (\alpha, e)}$$

Subtyping rules

$$\frac{}{R \vdash \alpha \leq \alpha} \qquad \frac{R \vdash A' \leq A \qquad R \vdash \alpha \leq \alpha' \qquad e \subseteq e' \subseteq \mathit{dom}(R)}{R \vdash (A \xrightarrow{e} \alpha) \leq (A' \xrightarrow{e'} \alpha')}$$

$$\frac{R \vdash \alpha \leq \alpha' \qquad e \subseteq e' \subseteq \mathit{dom}(R)}{R \vdash (\alpha, e) \leq (\alpha', e')} \qquad \frac{R;\Gamma \vdash M : (\alpha, e) \qquad R \vdash (\alpha, e) \leq (\alpha', e')}{R;\Gamma \vdash M : (\alpha', e')}$$

Terms, stores, and programs

$$\frac{R \vdash \Gamma \qquad x : A \in \Gamma}{R;\Gamma \vdash x : (A, \emptyset)} \qquad \frac{R \vdash \Gamma \qquad r : A \in R}{R;\Gamma \vdash r : (\mathsf{Reg}_r A, \emptyset)} \qquad \frac{R \vdash \Gamma}{R;\Gamma \vdash * : (1, \emptyset)}$$

$$\frac{R;\Gamma, x : A \vdash M : (\alpha, e)}{R;\Gamma \vdash \lambda x.M : (A \xrightarrow{e} \alpha, \emptyset)} \qquad \frac{R;\Gamma \vdash M : (A \xrightarrow{e_3} \alpha, e_1) \qquad R;\Gamma \vdash N : (A, e_2)}{R;\Gamma \vdash MN : (\alpha, e_1 \cup e_2 \cup e_3)}$$

$$\frac{R;\Gamma \vdash V : (\mathsf{Reg}_r A, \emptyset)}{R;\Gamma \vdash \mathsf{get}(V) : (A, \{r\})} \qquad \frac{R;\Gamma \vdash V : (\mathsf{Reg}_r A, \emptyset) \qquad R;\Gamma \vdash V' : (A, \emptyset)}{R;\Gamma \vdash \mathsf{pset}(V, V') : (1, \{r\})}$$

$$\frac{\cdots}{R;\Gamma \vdash (r \Leftarrow V) : (B, \emptyset)} \qquad \frac{R;\Gamma \vdash P : (\alpha, e) \qquad R;\Gamma \vdash S : (B, \emptyset)}{R;\Gamma \vdash (P \mid S) : (\alpha, e)} \qquad \frac{P_i \text{ not a store} \qquad R;\Gamma \vdash P_i : (\alpha_i, e_i),\ i = 1, 2}{R;\Gamma \vdash (P_1 \mid P_2) : (B, e_1 \cup e_2)}$$

Table 12: Intuitionistic system: stratified types and effects

Proof. By induction on the provability relation $\vdash_{AI}$.

Concerning the rules for types and region contexts formation and for subtyping, the forgetful translation provides a one-to-one mapping from the rules of the affine-intuitionistic system to the rules of the intuitionistic one (the only exception are the rules for $!A$, which become trivial in the intuitionistic framework). Also note that $\mathit{dom}(R) = \mathit{dom}(\underline{R})$. With these remarks in mind, the proof of (1-5) is straightforward.

The proof of (6) follows directly from (2). We just notice that the forgetful translation of a context $\Gamma$ eliminates all the variables associated with region types. The point is that if these variables occur in the program they will be decorated and therefore in the translation they will be replaced by regions, i.e., constants.

In the proof of (7), it is useful to make a few preliminary remarks. First, weakening is a derived rule for the intuitionistic system, so that if we can prove $R;\Gamma \vdash_I P : (\alpha, e)$ and $R, R' \vdash \Gamma, \Gamma'$ then we can prove $R, R';\, \Gamma, \Gamma' \vdash_I P : (\alpha, e)$ too. Second, if $R_1 \uplus R_2$ is defined then $\underline{R_1} = \underline{R_2} = \underline{R_1 \uplus R_2}$. The proof is then a rather direct induction on the provability relation $\vdash_{AI}$. When we discharge an assumption and when we introduce a formal parameter with $\lambda$ or with $\mathsf{let}$ we must distinguish the situation where the variable under consideration has region type, say, $\mathsf{Reg}_r A$. In this case the variable does not occur in the translation of the related context $\Gamma$ and it is replaced in the term by the region $r$. $\square$

Next we want to relate the reduction of a program and of its translation. As already mentioned, in the intuitionistic system all stores are persistent. Consequently, a reduction such as:

$$\mathsf{get}(x^r) \mid (x^r \Leftarrow V) \to V$$

might be simulated by

$$\mathsf{get}(r) \mid (r \Leftarrow V) \to V \mid (r \Leftarrow V)\ .$$

In other terms, the translated program may contain more values in the store than the source program. To account for this, we introduce a 'simulation' relation $\mathcal{S}$ indexed on a pair $R;\Gamma$ such that $R \vdash \Gamma$ and $\Gamma$ is just composed of variables of region type:

$$\mathcal{S}_{R;\Gamma} = \{\, (P, Q) \mid R;\Gamma \vdash_{AI} P : (\alpha, e),\ \ \underline{R};\_ \vdash_I Q : (\underline{\alpha}, e),\ \ Q \equiv (\underline{P} \mid S) \,\}$$

Lemma 19 (simulation) If $(P, Q) \in \mathcal{S}_{R;\Gamma}$ and $P \to P'$ then $Q \to Q'$ and $(P', Q') \in \mathcal{S}_{R;\Gamma}$.

Proof. Suppose $(P, Q) \in \mathcal{S}_{R;\Gamma}$. Then $(P, \underline{P}) \in \mathcal{S}_{R;\Gamma}$. Also if $P \to P'$ then $R;\Gamma \vdash_{AI} P'$ by subject reduction of the affine-intuitionistic system (incidentally, subject reduction holds for the intuitionistic system too [1]).
By definition $P \to P'$ means that $P$ is structurally equivalent to a process $P_1$ which can be decomposed in a static context $C$ and a redex $\Delta$ of the shape described in table [2].

We notice that the forgetful translation preserves structural equivalence, namely if $P \equiv P_1$ then $\underline{P} \equiv \underline{P_1}$. Indeed, the commutativity and associativity rules of the affine-intuitionistic system match those of the intuitionistic system while the rules for commuting the $\nu$'s are 'absorbed' by the translation. For instance, $\underline{\nu x\, P \mid P'} = \underline{P} \mid \underline{P'} = \underline{\nu x\, (P \mid P')}$ with $x$ not free in $P'$.

We also remark that the forgetful translation can be extended to static and evaluation contexts simply by defining $\underline{[\ ]} = [\ ]$. Then we note that the translation of a static (evaluation) context is an intuitionistic static (evaluation) context. In particular, this holds because the translation of a value is still a value.

Following these remarks, we can derive that $Q \equiv \underline{C}[\underline{\Delta}] \mid S$. Thus it is enough to focus on the redexes $\Delta$ and show that each reduction in the affine-intuitionistic system is mapped to a reduction in the intuitionistic one and that the resulting program is still related to the program $P'$ via the relation $\mathcal{S}_{R;\Gamma}$.

To this end, we notice that the translation commutes with the substitution, so that $\underline{[V/x]M} = [\underline{V}/x]\underline{M}$. This is a standard argument, modulo the fact that the variables of region type have to be given a special treatment. For instance, we have:

$$\underline{[y^r/x^r]x^r} = \underline{y^r} = r = [r/x^r]\, r = [\underline{y^r}/x^r]\, \underline{x^r}\ .$$

Then one proceeds by case analysis on the redex $\Delta$. Let us look at two cases in some detail. If $\Delta = E[\mathsf{let}\ !x = V\ \mathsf{in}\ M] \to E[[V/x]M]$ then

$$\underline{\Delta} = \underline{E}[\,\underline{\mathsf{let}\ !x = V\ \mathsf{in}\ M}\,] = \underline{E}[(\lambda x.\underline{M})\underline{V}] \to \underline{E}[[\underline{V}/x]\underline{M}] = \underline{E}[\,\underline{[V/x]M}\,] = \underline{E[[V/x]M]}\ .$$

On the other hand, if $\Delta = E[\mathsf{get}(x^r)] \mid (x^r \Leftarrow V)$ then

$$\underline{\Delta} = \underline{E}[\mathsf{get}(r)] \mid (r \Leftarrow \underline{V}) \to \underline{E}[\underline{V}] \mid (r \Leftarrow \underline{V}) = \underline{E[V]} \mid (r \Leftarrow \underline{V})\ .$$

Notice that in this case we have an additional store $(r \Leftarrow \underline{V})$, which is the reason why in the definition of the relation $\mathcal{S}$ we relate a program to its translation in parallel with some additional store. $\square$

Theorem 20 If $R;\_ \vdash_I P : (\alpha, e)$ then all reductions starting from $P$ terminate.

Corollary 21 (termination) If $R;\Gamma \vdash_{AI} P : (\alpha, e)$ then all reductions starting from $P$ terminate.

Proof. By contradiction. We have $(P, \underline{P}) \in \mathcal{S}_{R;\Gamma}$ and $\underline{R};\_ \vdash_I \underline{P} : (\underline{\alpha}, e)$. If there is an infinite reduction starting from $P$ then the simulation lemma [19] entails that there is an infinite reduction starting from $\underline{P}$. And this contradicts the termination of the intuitionistic system (theorem [20]). $\square$